This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 047849f Fixed: Remote Code Execution (File Upload) Vulnerability
(OFBIZ-11948)
047849f is described below
commit 047849f42bf5cb69e28132b66a4a5907136188d8
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sat Feb 5 10:13:44 2022 +0100
Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)
In SecuredUpload::isValidImageFile I initially used isValidText() and
thought
that decoding would be better so finally used isValidTextFile() instead. But
then valid images files are not passing. So this replaces isValidTextFile by
isValidText there.
Also while at it removes few other PHP tokens, now useless (hopefully, I
have
still to check encoded and encrypted PHP webshells), from
security::deniedWebShellTokens. The less tokens we have the better the
whole is
legible.
Improves related comments.
Modifies SecurityUtilTest::webShellTokensTesting accordingly
Conflicts handled by hand
framework/security/config/security.properties
framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
---
framework/security/config/security.properties | 15 ++++++++++-----
.../java/org/apache/ofbiz/security/SecuredUpload.java | 2 +-
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/framework/security/config/security.properties
b/framework/security/config/security.properties
index cda4b36..cf49080 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -200,14 +200,19 @@
deniedFileExtensions=html,htm,php,php2,hph3,php4,php5,asp,aspx,ascx,jsp,jspx,cfm
#-- As it name says, allowAllUploads opens all possibilities
allowAllUploads=
#--
-#-- List of denied tokens often part of webshells
+#-- List of denied tokens often part of webshells. Note that, for now at
least, those are supposed to be used on a *nix system
#-- TODO.... to be continued with known webshell contents... a complete allow
list is impossible anyway...
-#-- eg:
https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/
#-- "freemarker" should be OK, should not be used in Freemarker templates, not
part of the syntax.
#-- Else "template.utility.Execute" is a good replacement but not as much
catching, who knows...
-deniedWebShellTokens=<%,<jsp:,<?,#!,freemarker,<script,javascript,%eval,@eval,<body>,<form,\
- import
os,passthru,exec,shell_exec,assert,str_rot13,system,base64_decode,chmod,mkdir,\
- fopen,fclose,new
file,import,upload,getfilename,download,getoutputstring,readfile
+#-- If you are sure you are safe for a token you can remove it, etc.
+deniedWebShellTokens=<%,<jsp,<?,#!,freemarker,<script,javascript,eval,<body>,<form,\
+ chmod,mkdir,fopen,fclose,new
file,import,upload,getfilename,download,getoutputstring,readfile
+
+
+#-- Popup last-visited time from database after user has logged in.
+#-- So users can know of any unauthorised access to their accounts.
+#-- Default is false.
+afterlogin.lastvisit.show=
#-- uri used for login (cf jira OFBIZ-12047)
#-- it's a list, each uri should be separated by comma, without space
diff --git
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 0cd9a70..53cf774 100644
---
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -243,7 +243,7 @@ public class SecuredUpload {
|| imageFormat.equals(ImageFormats.TIFF)
|| imageFormat.equals(ImageFormats.JPEG))
&& imageMadeSafe(fileName)
- && isValidTextFile(fileName);
+ && isValidText(fileName, new ArrayList<>());
}
/**
